Sentencing commission ponders extra jail time for proxy users

The US sentencing commission considers whether computer criminals who use …

I'm betting Michael DuBose, chief of the Justice Department's Computer Crime & Intellectual Property Section, is a Steven Seagal fan. At a hearing held Tuesday by the US Sentencing Commission, DuBose warned that "cyber-criminals are increasingly using sophisticated technological tools like 'proxies' to evade detection and prosecution." Naturally, I immediately thought of Under Siege 2: Dark Territory, in which the flabbifying action hero must track down nefarious hacker Travis Dane (playwright Eric Bogosian slumming for a paycheck), who has seized control of a government satellite weapon. Just when the grim-faced folks in the government command center think they've got a lock on the hijacked bird—bang!—the screens are filled with 50 "ghost" satellites Dane has created to throw them off the trail. Proxies!

In reality, of course, proxy servers and anonymous routing are not l33t haxx0r tools, but rather a feature of modern Internet use so commonplace and banal that Web surfers in corporate or university environments routinely make use of proxied connections without even knowing it. But the Justice Department is urging the Sentencing Commission to recognize proxies as "sophisticated means" automatically meriting stiffer penalties when used in the course of a computer crime.

Pursuant to the Identity Theft Enforcement and Restitution Act of 2008 (which wound up passing in September as a component of the Former Vice President Protection Act—ah, Washington!), the Commission's recommended penalties are supposed to take into account "the level of sophistication and planning" involved in a computer crime. Someone who makes use of "special skills" or "sophisticated means" to break the law gets their offense bumped by two "levels" of severity (out of a total of 43) when it comes time for sentencing. Though a complex table determines exactly what that means in a specific case, in general an increase of two levels seems to be worth an additional four to six months in prison.

The current guidelines offer some examples of what count as "sophisticated means": attempting to confound law enforcement by setting up shell corporations, establishing offices in multiple jurisdictions, or spreading ill-gotten gains among offshore accounts. A proposed amendment to the commission's guidelines would lump in proxy servers and anonymizers with such tactics:

In a scheme involving computers, using any technology or software to conceal the identity or geographic location of the perpetrator ordinarily indicates sophisticated means.

DuBose repeatedly sought to equate proxies with botnets, arguing that they are "often created by infecting victim computers with malicious software that permits the cyber-criminal to use the victim computer as a proxy without the owner’s knowledge or consent." The broad language proposed—which, of course, would cover all proxies, not just clearly illicit tools like botnets—was necessary to give guidance to computer-illiterate prosecutors and judges, DuBose averred, and would "prevent any confusion by reflecting the Commission’s unambiguous intent to include such sophisticated techniques within the scope of the [sentencing] enhancement."

Several other witnesses, however, cast doubt on DuBose's characterization of anonymizing technologies. Seth Schoen, staff technologist for the Electronic Frontier Foundation, said that these tools "do not necessarily require technical sophistication or indicate unusual expertise; they do not necessarily contribute to avoiding detecting; and they do not necessarily indicate premeditation or a commitment to a course of criminal conduct." He noted that he himself had authored a manual explaining how any ordinary computer user could make use of proxies to avoid Web filtering or censorship. He also urged the commission against conflating the sophistication of a tool itself—citing the anonymous and encrypted Tor routing system as an example—with the sophistication required to use it.

Attorney Jennifer Coffin, speaking on behalf of federal public defenders, concurred that a tool's sophistication "does not mean that an individual using it has himself done anything intricate or complex," noting that "most web browsers allow a person to route Internet activity through a proxy with just a few clicks of a mouse." Precisely because the technology is in such wide use, and for a variety of legitimate purposes, Coffin urged that a blanket sentencing rule made little sense, and that judges should determine on a case-by-case basis whether a criminal had used sufficiently unusual and elaborate means to merit a harsher penalty.

More generally, she argued, the deterrent effect of more severe penalties is typically dwarfed by that of the criminal's estimate of the probability of capture and conviction—and computer criminals tend to have relatively low recidivism rates once they are captured. Increasing punishment for criminals who use proxies, therefore, would be unlikely to either discourage their use or appreciably lower crime rates by keeping convicts off the street longer.

Symantec executive Vincent Weafer, who also testified, did not explicitly take a position on the proposed amendment. He did, however, advocate "a behavioral approach that focuses on punishing bad behavior vs. regulating the technology."

That's probably sound advice, but if the Commission does decide to define all anonymizing tools as scary "sophisticated means" by default, I modestly propose that they follow their cinematic inspiration all the way, and sentence convicted hackers to be dropped from helicopters by ponytailed martial artists. If we don't stop them now, after all, the only result can be Global Thermonuclear War.

26 Reader Comments

Let me get this straight - if I'm going to commit computer crime, I need to use the least sophisticated tools possible to get a lesser sentence? So they'd prefer it if I forced the bank manager to make the transfer at gun point than if I used something "advanced" like a proxy, or heaven forbid a web browser.

This kind of legislation seems wasteful, because if you are going to commit computer crime, chances are you will need tools. So anyone who commits computer crime gets an automatic +4-6 months to their sentence. Why not just change the law/sentencing whatever to reflect this? Or better yet find out what you are legislating on before you do the legislating.

So basically, script kiddy who hacks from home and manages to bring a botnet against a company causing massive site slowdowns could get a much much lower sentence than a moderate hacker using "standard means" (that includes proxies to me; after all, any decent hacker is going to attempt to hide their trail, duh!) who breaks into a processor and actively steals information. Yeah, right, that's fair.

Punishment should be based on the outcome and actual damages, not how they did it. That's like saying Murderer #1 deserves a lower sentence because he only used a single shot to the head to kill his victim, but #2 deserves a higher sentence because he used a knife to the gut. Does it matter? Both victims are dead.

Seems like a silly argument to me. It's the digital equivalent of giving a bank robber that uses a getaway car a stiffer sentence than a bank robber that uses a getaway bicycle. I understand that intent has meaning in the law, but I don't think that criminals should get lighter sentences because they are stupid or unsophisticated. Both of them intended to get away with their crimes.

This doesn't surprise me much, but it is pretty stupid. They are thinking of this the same way one might think of "police evasion" or "destroying evidence" issues. Even here I think the reasoning is tenuous at best, but it gets even worse with computers.

Formatted that drive? Maybe you just destroyed evidence of a crime you didn't know you committed. Then, next week when you get arrested for said crime, they think you formatted it on purpose to throw them off. Further, with the proxy idea, maybe you didn't realize you were connecting through a proxy, or even if you knew, maybe you were just trying to keep your privacy.

The problem with these sorts of laws is that they infer intent. They assume the act was done in an attempt to throw law enforcement off your trail. This leaves two problems:

1. Maybe you weren't doing the action for that reason. This is especially true with computers where data is deleted all the time and proxies are commonplace.

2. Even if you did mean to throw them off, well duh! A criminal doesn't want to get arrested, hence all of them will try and throw off law enforcement in some manner.

What comes out of this is the logical conclusion: it's pointless. Criminals will still resist being convicted of a crime, it's only natural to do so. This type of rule will never have an effect on crime since it presupposes a criminal is worrying or gives a damn about such things.

So they currently need to decide between a thief wearing gloves and a mask because it was cold that night or to avoid leaving fingerprints and being identified?

Once again, because it's 'new' and 'technology', it must have special rules attached.

This will lead to stupid rules like:

- if you embezzle money from a bank electronically, you get, say, 5 years
- if you rob that bank with a gun, you get 7 years
- but if you embezzle money from a bank electronically through a proxy you get 8 years

holy cow, are all of you people hackers? you actually want to be allowed to do this? you should all go to jail for life. end of story. I'm sick of this hacker garbage. you are all committing crimes far worse than walking into a bank with a gun. you're all freaks and deserve to die.

Aren't there already laws pertaining to this already at the national and state levels?

I have an easier solution... to increase jail time add more charges - duh!

I really hate it when legislators think they have to create new laws when they already have ones that cover a situation in place. For example, using a cellphone while driving - wouldn't this fall into a distracted driver law. No, we must cover every possible situation. What's next - a law banning trumpet playing while driving (I've seen it), or increased penalties for using bullets with your gun during a robbery?

Who's to say a simple NAT firewall isn't a circumvention device under these guidelines?

john: holy cow, are all of you people hackers? you actually want to be allowed to do this? you should all go to jail for life. end of story. I'm sick of this hacker garbage. you are all committing crimes far worse than walking into a bank with a gun. you're all freaks and deserve to die.

Hi john, the only real difference between a black hat hacker and a white hat hacker is a thin line of morality. In other words, any decently competent system admin in the world could wreak utter havoc upon any given system they so chose. So you see, it is you who are the fool. All of them are "hackers". That is what they do in essence. They keep the Internet that you are using running with those skills.

Saying that they "deserve to die" is also equally retarded. So you consider "hacking" worse than 2nd Degree Murder? If so that is very lame to say the least.

This law is just another attempt at looking tough on electronic crime. In the long run it will not have very much effect in real world ways, but it will make some politicians look great in the eyes of their constituents.

Sounds like he's just confused. He uses botnets as an example of proxy servers.

For botnets, I'm all for adding to the sentence. After all, they represent an additional crime of taking over lots of people's computers.

But proxy servers? Lots of people use them for every day computing. Some people say it is the only way to be safe when using public wireless networks because you can encrypt everything going over the air.

Basically, if the criminals use an illegal activity (botnets, hiding money from the IRS in offshore accounts) to assist in their crime, then by all means add to the penalty.

But we are really going down a dangerous slippery slope when we change the law so that certain perfectly legal activity can add to the sentence for crimes.

Originally posted by john: holy cow, are all of you people hackers? you actually want to be allowed to do this? you should all go to jail for life. end of story. I'm sick of this hacker garbage. you are all committing crimes far worse than walking into a bank with a gun. you're all freaks and deserve to die.

john = hacker?!?

- It's his first post
- When viewing inline with the article he has a star next to his name denoting him as an employee of Ars.
- If you view his public profile it says his name is "aquahealer" and his "Date Registered: 3 hours from now"*

john: holy cow, are all of you people hackers? you actually want to be allowed to do this? you should all go to jail for life. end of story. I'm sick of this hacker garbage. you are all committing crimes far worse than walking into a bank with a gun. you're all freaks and deserve to die.

Hi john, the only real difference between a black hat hacker and a white hat hacker is a thin line of morality. In other words, any decently competent system admin in the world could wreak utter havoc upon any given system they so chose. So you see, it is you who are the fool. All of them are "hackers". That is what they do in essence. They keep the Internet that you are using running with those skills.

Saying that they "deserve to die" is also equally retarded. So you consider "hacking" worse than 2nd Degree Murder? If so that is very lame to say the least.

This law is just another attempt at looking tough on electronic crime. In the long run it will not have very much effect in real world ways, but it will make some politicians look great in the eyes of their constituents.

"The accused used sophisticated mathematical tools like counting to determine the amount and value of the money he stole. He also used advanced social engendering skills such as not telling us he committed the crime to cover his tracks."

Think that by defining criminals computer technology can be defined? Problem being those that define them, or develop them should fear of discovery or usefulness (from law enforcement) or the advantage gained from the technology itself?

If to this vein, the certain jealousy of law enforcement to use of technology (if perhaps without it themselves), means that it shouldn't be used unless equipped by law enforcement?

Law speaks in all sorts of cryptic already. The statement: "do not necessarily require technical sophistication or indicate unusual expertise; they do not necessarily contribute to avoiding detecting; and they do not necessarily indicate premeditation or a commitment to a course of criminal conduct." - is pretty forbearing.

If it was that the subject of audience gain was that of consideration here (this article here), then perhaps the comparable listing would be to that of the audience actually pertaining to clandestine law enforcement. Rather than who might benefit from knowledge of their existence. Since I would not feel jealousy here. Although I know the audience not 'hearing', is the implementation of the deafness that is certainly all encompassing as much in and of itself.

Separate criteria in separate veins. Certainly. A "reasonable expectation of security", vs. being exposed, or having regulation that to be so by the same entity requiring being exposed. I don't think there are not court nerds for example, or there are prosecuting nerds, although defence nerds are probably just as respectable as say law enforcement. There are law maker nerds, and then the big what have you nerd.

We would be more suspect of being w/o 'reasonable expectation of security', than a law enforcement, that is w/o means to detail the same. Even on the general perceptible level - that we might consider realistic. Proxies, anonymity, cryptography, it's the expectation of that security that gives us the right w/o the detail. Necessary of the government. I don't think that trying the separate premises will create more detail. Even for law enforcement.

Think there should be a different type of court, and a different type of law enforcement officer.

I remember some kind of advertisement one time where (perhaps it was for some hollywood movie), this guy pulled his head off of his shoulders, lowering to his waist, on his side and said 'ahhh, that feels better'.

This stuff is all backwards, with lawmaking becoming the 'dramatic' rather than the implementable. The computer stuff is pretty volatile. Still in just what manner has not been listed or detailed. When law comes up with things using the wrong criteria, along to the wrong premise, then there is only a 'yes, or no' in whatever code, say 'criminal, vs. regulation' there is something there that is not much to be considered for it. Least common denominator is certainly multiplicative, but for which certainty a direction?

If there is to be badge shining, then the audience should be at least in sync. (*)....the separate directions are separate destinations as well. If there is a type of new criminal based on a certain technology we will be safer from ourselves. Bah.

Originally posted by john: holy cow, are all of you people hackers? you actually want to be allowed to do this? you should all go to jail for life. end of story. I'm sick of this hacker garbage. you are all committing crimes far worse than walking into a bank with a gun. you're all freaks and deserve to die.

Wait until you get accused of a computer crime. Should you go to "jail for life" or "deserve to die"? You are exactly the kind that leaves a wireless connection unsecured by accident and you and your types should take full blame for this action.

I quote Ayn Rand: "Did you really think we want those laws observed?" said Dr. Ferris. "We want them to be broken. You'd better get it straight that it's not a bunch of boy scouts you're up against... We're after power and we mean it... There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced or objectively interpreted – and you create a nation of law-breakers – and then you cash in on guilt. Now that's the system, Mr. Reardon, that's the game, and once you understand it, you'll be much easier to deal with." ('Atlas Shrugged' 1957) {WMail Issue #23}

Ayn Rand is a true cynic. She doesn't appear to have given true thought to much, only producing a massive overreaction to what she grew up with in Russia.

Interesting to me that several people equate severity of punishment to the outcome of the crime. Why is the punishment greater for murder than attempted murder? The intent was still the same - the fact that the bullet ended up one inch to the left and therefore didn't kill the person doesn't change what the person did.

Notwithstanding the excellent point that the article raises regarding the way proxies are routinely and often transparently used, if it is the crime that is injurious to society then what does it matter to that society whether or not the person committing it took steps to avoid capture? It seems illogical to punish someone further just because they took such steps. In pushing for this, it's as if Mr. DuBose is trying to imply that there's some kind of "law of crime" whereby if you play by the rules and don't try to hide yourself while you commit one, you get a lighter sentence. To me, this is absurd.

Originally posted by hux: Notwithstanding the excellent point that the article raises regarding the way proxies are routinely and often transparently used, if it is the crime that is injurious to society then what does it matter to that society whether or not the person committing it took steps to avoid capture? It seems illogical to punish someone further just because they took such steps. In pushing for this, it's as if Mr. DuBose is trying to imply that there's some kind of "law of crime" whereby if you play by the rules and don't try to hide yourself while you commit one, you get a lighter sentence. To me, this is absurd.

Excellent point.

Although...I mean I can see the shell corporations and stuff like that. They're obviously bad, etc. So I can sort of see that, but...proxies? Geez.

I want to know what they're defining as a proxy. If you use the normal computer science definition then it would apparently exclude the likes of botnets because the botnets don't cache or modify the requests in transit, they just pass them along the same as routers do. By contrast, using a broad sort of dictionary definition would seem to include every router on the internet because they all act as a go between for the two endpoints.

It seems like what they're after is intermediaries that substitute their own IP address for that of the endpoints, but with that definition you're still picking up the NAT routers that better than 50% of users connect through.

I still don't even understand why they need "computer crime" laws in the first place. Fraud, embezzlement, vandalism, these are all actionable whether done over the internet or otherwise. Is there any practical difference between committing fraud via the internet vs. the postal service? No. Do we need separate laws? No. So close the department of redundancy department, stop filling the law books with this unnecessary tripe, and charge the criminals with the same crimes whether they used the internet or not.

Well I'm glad I'm not in the minority thinking this is just stupid on so many levels.

We all use proxies every day if we use the net at work, lots of us use them at home or when we're travelling. I mean we use HTTP to request and receive all our web pages - a protocol that is in the clear. Why shouldn't some of us use proxies, ssh tunneling to protect our information - doesn't mean we're up to no good.

If you've ever connected to a hotel wifi system and started a network sniffer you'll see how much privacy we have.

It's a technology that people use every day, trying to criminalise it - is ridiculous. Target criminals, catch them and punish them on their crimes not how hard it was to catch them. You might as well base their sentences on their IQ if you follow this absurd logic.

And actually I believe TOR development was actually initially begun using a European Union grant (although I am not 100% sure on this)

I use a proxy to watch the BBC when I'm travelling - is that criminal behaviour (I do pay a BBC TV licence fee btw) ???

john: holy cow, are all of you people hackers? you actually want to be allowed to do this? you should all go to jail for life. end of story. I'm sick of this hacker garbage. you are all committing crimes far worse than walking into a bank with a gun. you're all freaks and deserve to die.

Hi john, the only real difference between a black hat hacker and a white hat hacker is a thin line of morality. In other words, any decently competent system admin in the world could wreak utter havoc upon any given system they so chose. So you see, it is you who are the fool. All of them are "hackers". That is what they do in essence. They keep the Internet that you are using running with those skills.

Saying that they "deserve to die" is also equally retarded. So you consider "hacking" worse than 2nd Degree Murder? If so that is very lame to say the least.

This law is just another attempt at looking tough on electronic crime. In the long run it will not have very much effect in real world ways, but it will make some politicians look great in the eyes of their constituents.

Don't feed the troll, etc. etc.

I was originally going to say something similar, but john's post is so painfully sarcastic I doubt he's trolling.